From rle...@apache.org
Subject ambari git commit: AMBARI-21230. Add Kerberos HTTP SPNEGO authentication support to Accumulo (Qin Liu via rlevas)
Date Mon, 19 Jun 2017 16:37:59 GMT
Repository: ambari
Updated Branches:
  refs/heads/branch-2.5 ac01c2773 -> 09944fa58


AMBARI-21230. Add Kerberos HTTP SPNEGO authentication support to Accumulo (Qin Liu via rlevas)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/09944fa5
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/09944fa5
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/09944fa5

Branch: refs/heads/branch-2.5
Commit: 09944fa5884f84fc8d0552b75d7e80f235f76c0e
Parents: ac01c27
Author: Qin Liu <qinliu5678@gmail.com>
Authored: Tue Jun 13 16:41:28 2017 +0200
Committer: Robert Levas <rlevas@hortonworks.com>
Committed: Mon Jun 19 12:37:43 2017 -0400

----------------------------------------------------------------------
 .../timeline/AbstractTimelineMetricsSink.java   | 54 ++++++++++----------
 .../1.6.1.2.2.0/configuration/accumulo-env.xml  |  5 ++
 .../package/scripts/accumulo_configuration.py   |  3 ++
 .../1.6.1.2.2.0/package/scripts/params.py       |  5 +-
 .../package/templates/accumulo_jaas.conf.j2     | 29 +++++++++++
 5 files changed, 67 insertions(+), 29 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
----------------------------------------------------------------------
diff --git a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
index 249d96b..b8cba25 100644
--- a/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
+++ b/ambari-metrics/ambari-metrics-common/src/main/java/org/apache/hadoop/metrics2/sink/timeline/AbstractTimelineMetricsSink.java
@@ -172,23 +172,7 @@ public abstract class AbstractTimelineMetricsSink {
         connection.setRequestProperty(COOKIE, appCookie);
       }
 
-      connection.setRequestMethod("POST");
-      connection.setRequestProperty("Content-Type", "application/json");
-      connection.setRequestProperty("Connection", "Keep-Alive");
-      connection.setConnectTimeout(timeout);
-      connection.setReadTimeout(timeout);
-      connection.setDoOutput(true);
-
-      if (jsonData != null) {
-        try (OutputStream os = connection.getOutputStream()) {
-          os.write(jsonData.getBytes("UTF-8"));
-        }
-      }
-
-      int statusCode = connection.getResponseCode();
-      if (LOG.isDebugEnabled()) {
-        LOG.debug("emitMetricsJson: statusCode = " + statusCode);
-      }
+      int statusCode = emitMetricsJson(connection, timeout, jsonData);
 
       if (statusCode == HttpStatus.SC_UNAUTHORIZED ) {
         String wwwAuthHeader = connection.getHeaderField(WWW_AUTHENTICATE);
@@ -198,18 +182,11 @@ public abstract class AbstractTimelineMetricsSink {
         if (wwwAuthHeader != null && wwwAuthHeader.trim().startsWith(NEGOTIATE))
{
           appCookie = appCookieManager.getAppCookie(connectUrl, true);
           if (appCookie != null) {
+            cleanupInputStream(connection.getInputStream());
+            connection = connectUrl.startsWith("https") ?
+                getSSLConnection(connectUrl) : getConnection(connectUrl);
             connection.setRequestProperty(COOKIE, appCookie);
-
-            if (jsonData != null) {
-              try (OutputStream os = connection.getOutputStream()) {
-                os.write(jsonData.getBytes("UTF-8"));
-              }
-            }
-
-            statusCode = connection.getResponseCode();
-            if (LOG.isDebugEnabled()) {
-              LOG.debug("emitMetricsJson: statusCode2 = " + statusCode);
-            }
+            statusCode = emitMetricsJson(connection, timeout, jsonData);
           }
         } else {
           // no supported authentication type found
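Review bot: In the Negotiate retry branch, `cleanupInputStream(connection.getInputStream());` runs on a connection whose status is already known to be 401. The JDK's HttpURLConnection throws an IOException from getInputStream() for 4xx responses and exposes the body through getErrorStream(), so the retry with the fresh cookie would likely never be reached. Draining the error stream instead, `cleanupInputStream(connection.getErrorStream());`, keeps the intent, provided cleanupInputStream tolerates a null stream; it is defined outside this hunk, so that needs confirming. Separately, the re-opened connection sends the application cookie over plain HTTP whenever connectUrl does not start with "https", which is worth confirming as acceptable for an authenticated session cookie.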
@@ -259,6 +236,27 @@ public abstract class AbstractTimelineMetricsSink {
     }
   }
 
+  private int emitMetricsJson(HttpURLConnection connection, int timeout, String jsonData)
throws IOException {
+    connection.setRequestMethod("POST");
+    connection.setRequestProperty("Content-Type", "application/json");
+    connection.setRequestProperty("Connection", "Keep-Alive");
+    connection.setConnectTimeout(timeout);
+    connection.setReadTimeout(timeout);
+    connection.setDoOutput(true);
+
+    if (jsonData != null) {
+      try (OutputStream os = connection.getOutputStream()) {
+        os.write(jsonData.getBytes("UTF-8"));
+      }
+    }
+
+    int statusCode = connection.getResponseCode();
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("emitMetricsJson: statusCode = " + statusCode);
+    }
+    return statusCode;
+  }
+
   protected String getCurrentCollectorHost() {
     String collectorHost;
     // Get cached target
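Review bot: The new private `emitMetricsJson(HttpURLConnection, int, String)` has no Javadoc, and its precondition is easy to miss: `setRequestMethod` and `setDoOutput` fail once a connection has been used, so it only works on a fresh connection, which is presumably why the retry path opens a new one. A comment such as `/** Configures a not-yet-connected connection as a JSON POST, writes jsonData if non-null, and returns the HTTP status code. */` would record that. Both attempts now log the same `emitMetricsJson: statusCode = ` text, so the first and second try can no longer be told apart in debug output, which the removed `statusCode2` message allowed. As a style point, `jsonData.getBytes(StandardCharsets.UTF_8)` avoids the string charset lookup if the file's Java level and imports allow it.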

http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
index 1e5eb54..e4aa21e 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/configuration/accumulo-env.xml
@@ -233,6 +233,11 @@ export ACCUMULO_MONITOR_OPTS="-Xmx{{accumulo_monitor_heapsize}}m -Xms{{accumulo_
 export ACCUMULO_GC_OPTS="-Xmx{{accumulo_gc_heapsize}}m -Xms{{accumulo_gc_heapsize}}m"
 export ACCUMULO_GENERAL_OPTS="-XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75
-Djava.net.preferIPv4Stack=true ${ACCUMULO_GENERAL_OPTS}"
 export ACCUMULO_OTHER_OPTS="-Xmx{{accumulo_other_heapsize}}m -Xms{{accumulo_other_heapsize}}m
${ACCUMULO_OTHER_OPTS}"
+{% if security_enabled %}
+export ACCUMULO_TSERVER_OPTS="${ACCUMULO_TSERVER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}}
-Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_MASTER_OPTS="${ACCUMULO_MASTER_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}}
-Djavax.security.auth.useSubjectCredsOnly=false"
+export ACCUMULO_GC_OPTS="${ACCUMULO_GC_OPTS} -Djava.security.auth.login.config={{accumulo_jaas_file}}
-Djavax.security.auth.useSubjectCredsOnly=false"
+{% endif %}
 export ACCUMULO_MONITOR_BIND_ALL={{monitor_bind_str}}
 # what do when the JVM runs out of heap memory
 export ACCUMULO_KILL_CMD='kill -9 %p'
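Review bot: The JAAS login configuration is appended only to ACCUMULO_TSERVER_OPTS, ACCUMULO_MASTER_OPTS and ACCUMULO_GC_OPTS, while ACCUMULO_MONITOR_OPTS and ACCUMULO_OTHER_OPTS, both set just above, get no `-Djava.security.auth.login.config`. If processes started with those options also need to authenticate over SPNEGO, they would fall back to whatever JAAS configuration the JVM finds by default, or fail to log in. Confirm the omission is intentional and add a one-line `#` comment above the `{% if security_enabled %}` block naming the roles that are deliberately excluded. The `{{accumulo_jaas_file}}` path is also interpolated unquoted inside the option string, so a configuration directory containing whitespace would split the argument.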

http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
index 25275f8..2629a2a 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/accumulo_configuration.py
@@ -107,6 +107,9 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or
'gc' or '
          content=InlineTemplate(params.server_env_sh_template)
     )
 
+    if  params.security_enabled:
+      accumulo_TemplateConfig("accumulo_jaas.conf", dest_conf_dir)
+
   # create client.conf file
   configs = {}
   if 'client' in params.config['configurations']:
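Review bot: `accumulo_TemplateConfig("accumulo_jaas.conf", dest_conf_dir)` writes the file that tells the JVM which keytab and principal to log in with, but the owner and mode it receives are decided by the helper, which is outside this hunk. Confirm the file is writable only by the service account, since anyone who can edit it can redirect the Kerberos login to a different keytab or principal. Minor style: `if  params.security_enabled:` has a doubled space, and `if params.security_enabled:` matches the neighbouring conditions. The enclosing branch of setup_conf_dir starts above the hunk.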

http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
index 150b0a8..a3e9a0b 100644
--- a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/scripts/params.py
@@ -163,6 +163,7 @@ master_hosts = default('/clusterHostInfo/accumulo_master_hosts', [])
 monitor_hosts = default('/clusterHostInfo/accumulo_monitor_hosts', [])
 gc_hosts = default('/clusterHostInfo/accumulo_gc_hosts', [])
 tracer_hosts = default('/clusterHostInfo/accumulo_tracer_hosts', [])
+hostname = status_params.hostname
 
 # security properties
 accumulo_user_keytab = config['configurations']['accumulo-env']['accumulo_user_keytab']
@@ -173,11 +174,13 @@ kinit_path_local = status_params.kinit_path_local
 if security_enabled:
   bare_accumulo_principal = get_bare_principal(config['configurations']['accumulo-site']['general.kerberos.principal'])
   kinit_cmd = format("{kinit_path_local} -kt {accumulo_user_keytab} {accumulo_principal_name};")
+  general_kerberos_keytab = config['configurations']['accumulo-site']['general.kerberos.keytab']
+  general_kerberos_principal = config['configurations']['accumulo-site']['general.kerberos.principal'].replace('_HOST',
hostname.lower())
+  accumulo_jaas_file = format("{server_conf_dir}/accumulo_jaas.conf")
 else:
   kinit_cmd = ""
 
 #for create_hdfs_directory
-hostname = status_params.hostname
 hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab']
 hdfs_user = config['configurations']['hadoop-env']['hdfs_user']
 hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name']
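Review bot: `general_kerberos_keytab`, `general_kerberos_principal` and `accumulo_jaas_file` are defined only when security_enabled is true, whereas the `else` branch gives `kinit_cmd` an empty default. Any template or script that references them outside a security_enabled guard will fail on an undefined name, so either add matching defaults in the `else` branch or a comment such as `# defined only when Kerberos is enabled`. The `general.kerberos.principal` value is also read twice, once for bare_accumulo_principal and once for the `_HOST` substitution. Reading it into one local first would keep the two derived values from drifting apart.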

http://git-wip-us.apache.org/repos/asf/ambari/blob/09944fa5/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
new file mode 100644
index 0000000..1ac5cea
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/ACCUMULO/1.6.1.2.2.0/package/templates/accumulo_jaas.conf.j2
@@ -0,0 +1,29 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+com.sun.security.jgss.krb5.initiate {
+com.sun.security.auth.module.Krb5LoginModule required
+renewTGT=false
+doNotPrompt=true
+useKeyTab=true
+storeKey=true
+useTicketCache=false
+debug=true
+keyTab="{{general_kerberos_keytab}}"
+principal="{{general_kerberos_principal}}";
+};
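Review bot: `debug=true` is hard-coded in the Krb5LoginModule options, so every secured JVM that loads this file will write Kerberos login diagnostics, including the principal and keytab in use, to its output on each login. A production default of `debug=false` is the safer choice, or the value can be made a template variable so it is switched on only while troubleshooting. The remaining options (`useKeyTab=true`, `useTicketCache=false`, `doNotPrompt=true`) are consistent with a keytab-only service login. A short comment above the `com.sun.security.jgss.krb5.initiate` entry saying that it is the JGSS initiator entry used for outbound SPNEGO would help the next reader.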

